OneLogin SAML SSO Integration Set up

Last edited Nov 04, 2020

To add Conformity as a custom SAML 2.0 app in OneLogin:

1. Sign in to OneLogin as an Admin.

2. Go to Applications > Applications.

3. Click the Add App button from the top-right corner.

4. From Find Applications, search and select SAML Test Connector (Advanced).

5. Update Display Name to Cloud Conformity, upload the attached icons, and Save.

6. In Configuration tab, enter the following:

Relay State: REGION_OF_SERVICE:YOUR_DOMAIN for example: us-west-2:example.com
Audience: https://www.cloudconformity.com
Recipient: https://www.cloudconformity.com
ACS (Consumer) URL Validator: https://www\.cloudconformity\.com/v1/proxy/sso/saml/consume
ACS (Consumer) URL: https://www.cloudconformity.com/v1/proxy/sso/saml/consume
Login URL: https://www.cloudconformity.com/identity/saml-sign-in.html
Single Logout URL: https://www.cloudconformity.com/v1/proxy/sso/saml/logout
SAML Initiator: OneLogin
Encrypt assertion: Yes
SAML encryption method: AES-256-CBC
SAML encryption public key: Once you select the Encrypt assertion as ‘yes’ you will be able to see this field. Paste the contents of cloud-conformity-sso-x509.pem

7. In the Parameters tab, add:

firstName (First Name)
lastName (Last Name)
role
- User Roles: select User Roles
- Semicolon Delimited multi-value: to select a semi-colon delimited value:
  - Select the flag from SAML assertion
  - Select Multi-value
  - From the drop-down list, select Semicolon Delimited Input

Make sure that you have selected the flags for SAML assertion and these parameters are all added before you save and move to the next step.

Note: You do not need to map the email.

8. Ensure that OneLogin is configured to send role claim to Conformity:

Create new roles for Conformity Admin, Power-user, Read-only, and Custom roles
In the Access tab, select the roles you created for Conformity:
Verify that the “role” parameter created in step 6 is linked to “User Roles” and configured as a semicolon-delimited input and multi-value output.

Note: We recommend creating a User Role for at least Admin users so we can automatically assign users to their correct role on Conformity side.

Supported roles are:

Admin: This is the super-user or organization administrator, and can perform any operation.
Power-user: Full access to all existing accounts
Read-only: Read-only access to all existing accounts
Custom: No access by default, can be granted account-level permissions on Cloud Conformity user management console.

If you set up User Roles, we would need to know role names to complete the mapping; otherwise, all users will default to Admin.

9. In the SSO tab, set the SAML Signature Algorithm to SHA-512.

10. Click the Save button from the top right of the page to save the app configuration.

11. From the More Actions drop-down, download the SAML metadata XML file. You will need it in the next steps.

12. Follow the instructions from Step 2 onwards to Configure SSO settings in Conformity.

Still need help? Login to Cloud Conformity and submit a ticket to our support team